Cisco Web Security Appliance
About
Cisco Secure Web Appliance protects your organization by automatically blocking risky sites and testing unknown sites before allowing users to click on them.
Product Details
Vendor URL: Cisco Secure Web Appliance
Product Type: Web proxy, network connection
Product Tier: Tier II
Integration Method: Syslog
Log Guide: What is logged in access log for HTTPS traffic; User Guide for AsyncOS 11.0 for Cisco Web Security Appliances
Parser Details
Log Format: Custom
Expected Normalization Rate: 95-100%
Data Label: CISCO_WSA
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
GENERIC_EVENT | metadata.event_type |
Cisco WSA | metadata.product_name |
Cisco | metadata.vendor_name |
method | network.http.method |
http_response | network.http.response_code |
observer | observer.hostname |
client_ip | principal.ip |
acl_decision_tag | security_result.about.labels.key = ACLDecisionTag |
custom_url_category | security_result.about.labels.key = CustomURLCategory |
transaction_result_code | security_result.about.labels.key = TransactionResultCode |
data_source | src.hostname |
target_ip | target.ip |
target_port | target.port |
target_url | target.url |
Product Event Types
Event Type |
---|
All events |
Log Sample
<14>Sep 29 10:29:04 host SYSLOGAccessLogs: Info: 1632932944.490 90 10.147.88.13 TCP_MISS/200 0 TCP_CONNECT 10.10.10.1:443 - DIRECT/url - PASSTHRU_WBRS_7-DefaultGroup-LCAB.AuthExemptSource.ID-NONE-NONE-NONE-DefaultGroup-NONE <"IW_comp",9.0,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"IW_comp",-,"-","Computers and Internet","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-,-> - 0 "Information about computers and software, such as hardware, software, software support; information for software engineers, programming and networking; website design; the web and Internet in general; computer science; computer graphics and clipart. Freeware and Shareware is a separate
Sample Parsing
metadata.event_timestamp = "2021-09-29T22:06:19.373454Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Cisco"
metadata.product_name = "Cisco WSA"
metadata.ingested_timestamp = "2021-09-29T22:06:19.373454Z"
principal.ip = "10.40.42.70"
principal.asset.ip = "10.40.42.70"
src.hostname = "url"
src.asset.hostname = "sync"
target.port = 443
observer.hostname = "host"
security_result.about.labels.key = "CustomURLCategory"
security_result.about.labels.value = "IW_comp"
network.http.method = "TCP_CONNECT"
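To show how the field mapping in the UDM table applies to a raw access-log line, the following Python parser is added here as an example; it is not the product's parser and not code from this page. The sample line is constructed, modelled on the truncated line in the Log Sample section; the function name parse_wsa_access_log and the dictionary keys are hypothetical and simply reuse the UDM field names from the table above. Where the table's Sample Parsing shows target.port but not target.ip for a TCP_CONNECT tunnel, this example fills both and also handles a full URL for non-tunnel methods, which goes beyond the single line on the page.

```python
import csv
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample, modelled on the (truncated) line in the Log Sample section above.
SAMPLE = (
    '<14>Sep 29 10:29:04 host SYSLOGAccessLogs: Info: 1632932944.490 90 10.147.88.13 '
    'TCP_MISS/200 0 TCP_CONNECT 10.10.10.1:443 - DIRECT/url - '
    'PASSTHRU_WBRS_7-DefaultGroup-LCAB.AuthExemptSource.ID-NONE-NONE-NONE-DefaultGroup-NONE '
    '<"IW_comp",9.0,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"IW_comp",-,"-",'
    '"Computers and Internet","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,'
    '"-","-",-,-,"-",-,-> - 0 "Information about computers and software"'
)

# Syslog envelope: <PRI>timestamp observer program: level: body
HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<observer>\S+) (?P<program>\S+): (?P<level>\w+): (?P<body>.*)$"
)

# WSA access-log body (squid-like): epoch elapsed client result/status bytes method url user
# hierarchy/data_source mime acl_decision_tag <scanning verdict> ...
BODY = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<elapsed>\d+) (?P<client_ip>\S+) "
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3}) (?P<bytes>\d+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<user>\S+) (?P<hierarchy>[A-Z_]+)/(?P<data_source>\S+) (?P<mime>\S+) "
    r"(?P<acl>\S+) <(?P<verdict>.*?)>(?: (?P<rest>.*))?$"
)

IP_PORT = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$")


def epoch_to_iso(ts: str) -> str:
    """Convert '1632932944.490' to an ISO-8601 UTC string without float rounding."""
    secs, _, frac = ts.partition(".")
    micros = int(frac.ljust(6, "0")[:6])
    base = datetime.fromtimestamp(int(secs), tz=timezone.utc)
    return base.replace(microsecond=micros).isoformat()


def parse_wsa_access_log(line: str):
    """Map one WSA access-log line to the UDM field names from the table above.
    Returns None when the line does not match, so callers can count normalization failures."""
    h = HEADER.match(line.strip())
    if not h:
        return None
    b = BODY.match(h["body"])
    if not b:
        return None

    # The scanning verdict is a comma-separated, partly quoted list; csv handles the quoting.
    # Its first element is the URL category that the page's sample maps to CustomURLCategory.
    verdict = next(csv.reader([b["verdict"]]))
    custom_url_category = verdict[0] if verdict else "-"

    event = {
        "metadata.event_type": "GENERIC_EVENT",
        "metadata.vendor_name": "Cisco",
        "metadata.product_name": "Cisco WSA",
        "metadata.event_timestamp": epoch_to_iso(b["ts"]),
        "observer.hostname": h["observer"],
        "principal.ip": b["client_ip"],
        "network.http.method": b["method"],
        "network.http.response_code": int(b["status"]),
        "src.hostname": b["data_source"],
        "security_result.about.labels": [
            {"key": "ACLDecisionTag", "value": b["acl"]},
            {"key": "CustomURLCategory", "value": custom_url_category},
            {"key": "TransactionResultCode", "value": b["result"]},
        ],
    }

    # CONNECT tunnels log "ip:port"; other methods log a full URL.
    m = IP_PORT.match(b["url"])
    if m:
        event["target.ip"] = m["ip"]
        event["target.port"] = int(m["port"])
    else:
        event["target.url"] = b["url"]
        port = urlsplit(b["url"]).port
        if port is not None:
            event["target.port"] = port
    return event


if __name__ == "__main__":
    for key, value in parse_wsa_access_log(SAMPLE).items():
        print(f"{key} = {value}")
```

Because the scanning verdict block contains quoted strings with embedded spaces (for example "Computers and Internet"), splitting the line on whitespace silently misaligns every field after the ACL decision tag; the regex isolates that block first and lets the csv module split it. Returning None for unmatched lines gives a simple way to measure the normalization rate quoted under Parser Details.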
Parser Alerting
This product currently does not have any parser-based alerting.
Rules
Coming Soon